Tuesday, February 10, 2015

Why Privacy Policies Must be Personalized

(This was cross-posted.)
The best argument for why companies should never simply copy and paste the text of another entity's privacy policy onto their own website can be found in the recent announcement by the FTC of a settlement reached with Snapchat – relating to misrepresentations contained in the Privacy Policy, among other things. (Snapchat is not alleged to have used someone else's Privacy Policy as its own; however, its mistakes in its public statements about its products illustrate fully that companies should say what they mean, and mean what they say in their privacy policies!)
The FTC's Complaint Against Snapchat
On December 31, 2014, the Federal Trade Commission (FTC) announced its approval of a final order settling charges against Snapchat for deceptive trade practices in the form of:
1) Snapchat's misrepresentations to consumers that images or videos shared through Snapchat would actually disappear within the timing set by the consumer (and in no event more than 10 seconds after being shared);
2) False promises that if a recipient were to take a screenshot of the image, the sender would be notified; and
3) Misrepresentations about the nature and scope of the data actually collected from a user's phone through Snapchat's Find Friends tool.
See also "FTC Approves Final Order Settling Charges that Snapchat Deceived Users," Bloomberg BNA, Social Media Law & Policy Report (Jan. 5, 2015); see also In re Snapchat, Inc., FTC No. 132-3078, Final Order (Dec. 23, 2014).
In addition to these claims about Snapchat's misrepresentations about its data collection and use, the FTC also alleged that Snapchat failed to secure its Find Friends feature, which failure resulted in a security breach in December 2013 relating to a database of 4.6 million Snapchat usernames and phone numbers. FTC Press Release, "Snapchat Settles FTC Charges That Promises of Disappearing Messages Were False; Snapchat Also Transmitted Users' Location and Collected Their Address Books Without Notice or Consent" (May 8, 2014).

Settlement with the FTC
On December 23, 2014, following the public comment period, the FTC formalized its complaint and gave final approval to the settlement, which requires Snapchat to:
  1. Implement a comprehensive privacy program that will be monitored by an independent privacy professional (a third-party whom Snapchat has to pay) for the next 20 years;
  2. Hire this independent privacy professional to conduct a follow-up review every two years and provide a compliance report to the FTC;
  3. Conduct this two-year review until December 23, 2034;
  4. Revise Snapchat's privacy policy, product descriptions, advertising and any other public statements to disclose accurately the following:
    • The extent to which a message is deleted after being viewed by the recipient;
    • The extent to which Snapchat or its products/services are capable of detecting or notifying the sender when a recipient has captured a screenshot or saved a message;
    • The categories of personal information that Snapchat actually collects; and
    • The steps taken to protect against misuse or unauthorized disclosure of covered information.
  5. Maintain records for at least five (5) years of the following types of documents:
    • Every communication to consumers about the extent to which Snapchat "maintains and protects the privacy, security and confidentiality of any covered information";
    • All consumer complaints directed at Snapchat, or forwarded to Snapchat by a third party, that relate to the conduct prohibited by this order and any responses to such complaints;
    • Any documents that contradict, qualify, or call into question Snapchat's compliance with this order; and
    • All materials relied upon to prepare the required Assessment, "including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, for the compliance period covered by such Assessment."
Id. Lest anyone mistakenly believe that these consequences are not serious because there is no monetary penalty assessed, note that Snapchat risks civil penalties of $16,000 per violation per day if it fails to abide by these terms. See Letters to Commentators, at 1 (Dec. 23, 2014) (as provided by Section 5(1) of the FTC Act, 45 U.S.C. § 45(1), as adjusted by 16 C.F.R. § 1.98(c)).
Also note that the preparation of each of the items identified above will "cost" Snapchat money in terms of employee, consultant and/or contractor time, and in taking these resources away from working on money-making endeavors, whether they receive salaries or some other compensation.

Similar Settlement with Maryland Attorney General
In the midst of this dispute with the FTC, in June 2014, Snapchat settled a similar complaint with the Maryland Attorney General.
In its Complaint, the Maryland AG accused Snapchat of collecting data from its users' electronic address books without their knowledge or consent and "knowingly collect[ing] e-mail addresses and photographs from users younger than 13." "Snapchat to Pay $100,000 in Settlement with Maryland Over Privacy of User Snaps," Bloomberg BNA Social Media Law & Policy Report (June 12, 2014); Jeff Clabaugh, "Snapchat pays Maryland $100K in settlement," Washington Business Journal (June 12, 2014).
The settlement agreement with the Maryland Attorney General requires Snapchat to:
  1. Create and publicize mechanisms for users to report accounts that may be used by children;
  2. Provide notice and affirmative consent before Snapchat could collect any address book data – and this notice must appear separately from the user's agreement to the general terms of service; and
  3. Provide Maryland with annual reports for the next 10 years, documenting its compliance with the settlement.
CONCLUSION: Privacy Policies Must be Customized
There is no single, standard form privacy policy. Instead, privacy policies have evolved as a place where web sites disclose to users what data are collected, from which users, and how the data are then used. Privacy policies must disclose correctly how that particular site collects and uses data. See Privacy Policy, Wikipedia (last modified Jan. 10, 2015) (provides a good summary of the history of privacy policy development).
As a result, never simply block and copy an entity's Privacy Policy and adopt it as your own. You have no idea why the other entity included the technical and/or detail-oriented promises in its Privacy Policy, and simply copying because it "looks good" is a bad idea and can subject you to enforcement liability.
In fact, the only promises that should appear in your Privacy Policy about what you do with data, cookies, personal information, or other data you collect from a user's device are those things you actually do.
Christopher Olsen, assistant director of the Division of Privacy and Identity Theft Protection in the FTC's Bureau of Consumer Protection, actually stated it best:
The agency [the FTC] certainly supports and encourages the development of privacy protective products, but if there is one message we want to make sure is clear today, it is that, if you make promises about privacy, you must honor those promises; otherwise you risk FTC enforcement action.
"Snapchat Settles FTC Accusations of Failure to Purge 'Snaps' by Senders," Bloomberg BNA Social Media Law & Policy Report (May 8, 2014).
Copyright (c) 2015, Christina D. Frangiosa, All Rights Reserved.